Attackers Distribute Malware via Freeze.rs And SYK Crypter | FortiGuard Labs

Affected platforms: Windows
Impacted parties: Any organization
Impact: Controls victim’s device and collects sensitive information
Severity level: Critical

FortiGuard Labs recently detected a new injector written in Rust—one of the fastest-growing programming languages—to inject shellcode and introduce XWorm into a victim’s environment. While Rust is relatively uncommon in malware development, several campaigns have adopted this language since 2019, including Buer loader, Hive, and RansomExx. FortiGuard Labs analysis also revealed a significant increase in injector activity during May 2023, where the shellcode can be encoded with Base64 and can choose from encryption algorithms such as AES, RC4, or LZMA to evade antivirus detection.

By examining the encoded algorithms and API names, we identified the origin of this new injector in the Red Team tool “Freeze.rs,” designed to create payloads able to bypass EDR security controls. Additionally, during our analysis of the attack, we discovered that SYK Crypter—a tool commonly used to deliver malware families via the community chat Discord—was involved in loading Remcos, a sophisticated remote access Trojan (RAT) that can be used to control and monitor devices running Windows. SYK Crypter emerged in 2022 and has been used by various malware families, including AsyncRAT, njRAT, QuasarRAT, WarzoneRAT, and NanoCore RAT.

FortiGuard Labs observed phishing email activity on July 13 that initiated an attack chain using a malicious PDF file. This file redirects to an HTML file and utilizes the “search-ms” protocol to access an LNK file on a remote server. Upon clicking the LNK file, a PowerShell script executes Freeze.rs and SYK Crypter for further offensive actions. Eventually, XWorm and Remcos are loaded, and communication with the C2 server is established.

In this article, we will delve into the initial attack method employed to deliver the Rust-lang injector, SYK Crypter, and further explore the subsequent stages of the attack.

Initial attack method employed to deliver SYK Crypter

Initial Access

The phishing email, displayed in Figure 1, masquerades as an urgent order supplement request sent to various companies to deceive the recipient. It also employs a blurred image in the PDF file to entice the victim to click a concealed button. The attached PDF file is shown in Figure 2.

Figure 1: Phishing email


Figure 1: Phishing email

Figure 2: PDF file


Figure 2: PDF file

The malicious URL was hidden in a stream object (/ObjStm), making it challenging to detect. However, extracting the URL by pdf-parser reveals that it is located in object 14 within stream object 1, as shown in Figure 3.

Figure 3: URL in the stream object


Figure 3: URL in the stream object

Upon clicking the file, the victim connects to the URL https://www[.]cttuae[.]com/ems/page[.]html, a website that seemingly offers travel services. The attacker had uploaded a malicious HTML file to the “ems” path on July 12, with the source code displayed in Figure 4.

Figure 4: HTML page “page.html”


Figure 4: HTML page “page.html”

Instead of directly downloading a virus, the attacker adopts a more sophisticated approach by utilizing the “search-ms” protocol to trigger a search result. Specifically, they search for “ORDER_SPEC0723” on a remote cloud storage server facilitated by DriveHQ. Notably, the file “ORDER_PSEC0723” masquerades as a PDF file icon, but upon closer inspection, it is revealed to be an LNK file that executes a PowerShell script within the same folder, as shown in Figure 5. This tactic allows the attacker to initiate their malicious activities discreetly.

Figure 5: Search result and the LNK file “ORDER_PSEC01723”


Figure 5: Search result and the LNK file “ORDER_PSEC01723”

The PowerShell script “pf.ps1” (Figure 6) is then executed, beginning with the use of “regsvr32” to launch the injector “doc.dll,” which was written in Rust. It opens the decoy PDF file “T.pdf” and executes “AA.exe.” Finally, all File Explorer windows are closed using “Stop-Process -Force.” The PDF file “T.pdf” in Figure 7 appears clean and contains clear text, intending to distract the victim from other malicious actions. The following section will look in detail at “doc.dll” and “AA.exe.”

Figure 6: PowerShell script “pf.ps1”


Figure 6: PowerShell script “pf.ps1”

Figure 7: Decoy file “T.pdf”


Figure 7: Decoy file “T.pdf”

Rust injector – doc.dll

Figure 8 reveals that the injector was written in the Rust programming language, based on the string section analysis.

Figure 8: String section


Figure 8: String section

The injection process begins with creating a “notepad.exe” process using CreateProcessA. The shellcode is subsequently obtained through Base64 decoding and LZMA decompression. The injector then injects the shellcode using functions directly with the NTAPI library. This entire process mirrors the behavior of the Red Team tool “Freeze.rs” which was launched in May, showing rapid adoption of this new tool.” The source code and injector’s assembly code showcased in Figure 9.

Figure 9: Shellcode injection


Figure 9: Shellcode injection

Over the past month, we’ve compiled a collection of diverse Rust injectors, including DLL files with LZMA-compressed shellcode, DLL files featuring RC4-encrypted shellcode, and EXE files incorporating RC4-encrypted shellcode. The shellcode data within these injectors are all encoded using Base64, and intriguingly, the file type and encryption algorithm appear to be selectable options within the program. This observation aligns seamlessly with the options found in the “Freeze.rs” repository, suggesting a potential connection to this Red Team tool. The flexibility in choosing encryption methods and file types adds to the sophistication of these injectors, further complicating detection and analysis for security researchers.

Figure 10: “Freeze.rs” options


Figure 10: “Freeze.rs” options

When utilizing the RC4 algorithm variant, the key is expanded to 256 bytes and used in the Pseudo-Random Generation Algorithm (PRGA). The corresponding source code and assembly for this injector variant can be seen in Figure 11. Upon comparison, it becomes evident that this attacker employs “Freeze.rs” to bypass EDRs and utilizes suspended processes. The decrypted shellcode can be found at address 0x650000, as shown in Figure 12.

Figure 11: RC4 decryption


Figure 11: RC4 decryption

Figure 12: Decrypted shellcode


Figure 12: Decrypted shellcode

The decrypted shellcode applies AMSI bypass and WDLP bypass techniques, subsequently executing a .NET payload. Once executed, the .NET assembly can be dumped from memory address 0x1AAB6E70, as depicted in Figure 13, allowing for analysis as a stand-alone .NET executable.

Figure 13: Decrypted .Net payload


Figure 13: Decrypted .Net payload

The .NET payload discovered in the process is known as XWorm, a commodity RAT tool reportedly traded in underground forums. XWorm is equipped with typical RAT functionalities, including gathering machine information, capturing screenshots, logging keystrokes, and establishing control over compromised devices. In this instance, the XWorm payload version is v3.1, and the C2 server information remains hidden on the “pastebin.com” website, as illustrated in Figure 14.

Figure 14: XWorm V3.1 and the C2 server IP address on pastebin.com


Figure 14: XWorm V3.1 and the C2 server IP address on pastebin.com

MSIL Downloader – AA.exe

The execution file, “AA.exe,” operates as an MSIL downloader and has two links embedded: “95[.]214[.]27[.]17/storage/NAR” and “plunder[.]ddnsguru[.]com/storage/NAR”.

Figure 15: MSIL downloader’s links


Figure 15: MSIL downloader’s links

Upon download completion, “AA.exe” utilizes the file name “760” as the decoding key and performs a subtraction operation with each byte in the downloaded data. The decoded data is a SYK Crypter with a resource named “SYKSBIKO,” which contains the encrypted payload. The DLL file checks to ensure the environment is not in debug mode and then proceeds with processing the resource data by employing RC4 decryption with the key “gOhgyzyDebuggerDisplayAttributei.” It invokes a small .NET code, “Zlas1,” for further deflation.

Figure 16: Calling .Net code for decompression


Figure 16: Calling .Net code for decompression

To evade detection, SYK Crypter encoded the strings utilized in its execution flow, with the decoding function depicted in Figure 17. Additionally, it employs functions like “GetProcessesByName,” “Directory.Exists,” and “File.Exists” to assess the presence of security appliances within the compromised environment. The list used for checking is found in Figure 18.

Figure 17: String Converter function


Figure 17: String Converter function

Figure 18: Security appliance checking list


Figure 18: Security appliance checking list

For persistence, the malware appends the “.exe” extension to the file “AA” and copies the MSIL downloader to the “Startup” folder. It also adds a registry entry “Run” at “HCKUSOFTWAREMicrosoftWindows NTCurrentVersionWindows.” The corresponding code is depicted in Figures 19 and 20.

Figure 19: Copy self to “Startup”


Figure 19: Copy self to “Startup”

Figure 20: Add Registry


Figure 20: Add Registry

After RC4 decryption and deflation of the resource data “SYKSBIKO.Properties.Resources.resources‎‎.a,” the execution file is obtained, as shown in Figure 21. SYK Crypter then loads a Base64 .NET code and calls its “GetDelegateForFunctionPointer” function, creating delegation to all APIs from kernel32  or ntdll in the same method. Figure 22 shows a snippet loading “kernel32!WriteProcessMemory,” following which the decrypted payload is injected into a process.

Figure 21: Decrypt resource data from SYK Crypter


Figure 21: Decrypt resource data from SYK Crypter

Figure 22: Invoke “GetDelegateForFunctionPointer” to get API


Figure 22: Invoke “GetDelegateForFunctionPointer” to get API

The injected payload is the Remcos RAT, originally designed as a legitimate tool for remote computer control. However, since its release in 2016, hackers have exploited it to gain control over victims’ devices. The configuration can be obtained by RC4 decrypting the “SETTINGS” resource, with the clear configuration displayed in Figure 24. Interestingly, the C2 server IP address remains the same as the XWorm payload’s.

Figure 23: Encrypted configuration in “SETTINGS”


Figure 23: Encrypted configuration in “SETTINGS”

Figure 24: Decrypted configuration


Figure 24: Decrypted configuration

Conclusion

The combination of XWorm and Remcos creates a formidable trojan with an array of malicious functionalities. The C2 server’s traffic report, as shown in Figure 25, reveals Europe and North America as the primary targets of this malicious campaign. As part of their strategy, the phishing campaign utilizes a PDF stream object and leverages the “search-ms” feature to entice unsuspecting victims. To further evade detection, threat actors adeptly use the Rust injector “Freeze.rs” and the MSIL file “SYK Crypter.” In this blog, we delved into the attack methodology employed through phishing emails and examined the various files involved in deceiving victims. Moreover, we provide a comprehensive overview of the functionalities within Freeze.rs and detail the workings of SYK Crypter. Given these developments, users should continue to exercise vigilance in handling suspicious mail and remain alert to potential threats.

Figure 25: Telemetry


Figure 25: Telemetry

Fortinet Protections

The malware described in this report are detected and blocked by FortiGuard Antivirus as:

PDF/Agent.5D50!tr
LNK/Agent.AB!tr
HTML/Agent.S!tr
W64/Injector.MM!tr
MSIL/Agent.DWN!tr
MSIL/Agent.OFI!tr.dldr
MSIL/Agent.VJP!tr
W32/Remcos.A!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service blocks the malicious URL and IP address.

If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.

IOCs

Hostname:

freshinxworm[.]ddns[.]net
churchxx[.]ddns[.]net
plunder[.]ddnsguru[.]com
plunder[.]dedyn[.]io
plunder[.]jumpingcrab[.]com
plunder[.]dynnamn[.]ru

IP Address:

95[.]214[.]27[.]17

Files:

40c9d3dec84aa057c167005f860749a2cfa55faa0cddd2fe39aaf3906819203c
5a47b18066d8dcd0fbc524f529002cf0a270d8394de928e8426fa06959a82704
40041c3240eaa39da781a68f6a60f93577f1b0bbdaee5a0297d7fe329c073baa
908656aecc2ae845249acb392fbaa5ba3f8d26b05f4d762afb85b622f7eadcf0
ca0efb6da9edbe627ab206a7f494adb42f8483da1d574ddb8f723c1ddfeaecc4
09505b5cf1541b783f14b1bf1403b918fae70f049d72f47439bd068a43ed8e0a
88aeb09dcc59858c9969b7ae1e0e2b58f0aa90b2d27a5edfe9cd82e602ed5952
f44e495e1301866188a62916859075ed73d13193823c69884312f04785707279
d7e684fe7f3729edd70e2855528af3e634789155d687ed98911d1d2f0200d2a6
6c6da5a649f9165834c24ac8f7e2332a5612eda54312dcc9f107ab29182e58c9
b499cdefac0faa328775ebb6e64b351ee43498532f987743a5a6dcfd5266f20f
58235e47d5f5b8218da1d5e9dd3449c4f8969f038bba018521f9884fa1cdf693
dd806527cd56244208ee530ee26c90004eb7af343ffdb618c031f63cb1d0e240
9ce4e79962ec3e5a307282afcb72b4da39c4a2aace29f3f85c060d8c07cf3905
47e238a43f9cc38f2d4e449c7d8a557b990e60773ad02820717a634c22b609be
c4e613ee1365d8561be02525896c095c8a3fda3199f2f615ab32a644f3d90451
b54a4f92b1081f0c10a41c2404d51ed340181c485751efb974113a5cf401ad9c
b26144c6e42601f1f1be09ece7c7fcb127637db3b953065648d1b1f371da7e8a
904343ba2502d390b36403181e77192a62f31e98c87eb91906fbae27019b4c0d
98ab2fc44063d4e00f221e502419d9cca598fafb9e1e00352149327267604bc1

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio.

Source: https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter